Re-order by semantic. Fix link on flask-talisman and re-word many concepts

Lowell Abbott 2017-05-23 12:26:43 -07:00
parent ee7cb9d6b2
commit 09a0d2ebd1


@ -109,25 +109,12 @@ Security Headers
---------------- ----------------
This section contains a list of headers supported by Flask. This section contains a list of headers supported by Flask.
To configure HTTPS and handle the headers listed below we suggest the package `flask-talisman <https://github.com/GoogleCloudPlatform/flask-talisman>`. To configure HTTPS and handle the headers listed below we suggest the package `flask-talisman <https://github.com/GoogleCloudPlatform/flask-talisman>`_.
Content Security Policy (CSP)
-----------------------------
Enhance security and prevents common web vulnerabilities such as cross-site scripting and MITM related attacks.
Example:
.. sourcecode:: none
Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none'
See also `Content Security Policy <https://csp.withgoogle.com/docs/index.html>`_.
HTTP Strict Transport Security (HSTS) HTTP Strict Transport Security (HSTS)
------------------------------------- -------------------------------------
Redirects http requests to https on all urls, preventing MITM attacks. Redirects http requests to https on all urls, preventing Man-in-the-middle (MITM) attacks.
Example: Example:
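Review bot: the trailing underscore added to the flask-talisman link is the right fix; in reStructuredText a `` `text <url>` `` without the closing ``_`` is interpreted text rather than a hyperlink, so the rendered page showed literal backticks and no link. One wording point in the same hunk: the HSTS sentence "Redirects http requests to https on all urls" describes what the browser ends up doing, not what the header does. ``Strict-Transport-Security`` is only honoured when received over HTTPS, and from then on the browser upgrades later ``http://`` navigations to ``https://`` itself for ``max-age`` seconds; the server still needs its own one-time redirect to HTTPS. Suggest "instructs browsers that have visited the site over HTTPS to use HTTPS for all subsequent requests".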
@ -139,7 +126,20 @@ Example:
See also `Strict Transport Security <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security>`_. See also `Strict Transport Security <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security>`_.
X-FRAME-OPTIONS (Clickjacking protection) HTTP Public Key Pinning (HPKP)
------------------------------
This enables your web server to authenticate with a client browser using a specific certificate key to prevent Man-in-the-middle (MITM) attacks.
Example:
.. sourcecode:: none
Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"]
See also `Public Key Pinning <https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning>`_.
X-Frame-Options (Clickjacking protection)
----------------------------------------- -----------------------------------------
Prevents the client from clicking page elements outside of the website, avoiding hijacking or UI redress attacks. Prevents the client from clicking page elements outside of the website, avoiding hijacking or UI redress attacks.
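Review bot: the new HPKP description reverses the direction of the mechanism. ``Public-Key-Pins`` does not let the server authenticate to the browser; it tells the browser to remember SHA-256 hashes of pinned public keys and, for ``max-age`` seconds, to reject any future connection whose certificate chain contains none of them. Suggest "Tells the browser which public keys it should accept in the site's certificate chain on future visits, so that a mis-issued certificate is rejected". On the example ``Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"]``: browsers ignore the header unless it carries at least two ``pin-sha256`` values, one of which must be a backup key not in the current chain, and a wrong pin locks legitimate users out of the site until ``max-age`` expires. The text should mention the backup pin and recommend deploying ``Public-Key-Pins-Report-Only`` first.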
@ -155,7 +155,7 @@ See also `X-Frame-Options <https://developer.mozilla.org/en-US/docs/Web/HTTP/Hea
X-Content-Type-Options X-Content-Type-Options
---------------------- ----------------------
Prevents XSS by blocking requests on clients and forcing them to read the content type instead of first opening it. This header prevents Cross-site scripting (XSS) by blocking requests on clients and forcing them to first read and validate the content-type before reading any of the contents of the request.
.. sourcecode:: none .. sourcecode:: none
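Review bot: the reworded X-Content-Type-Options sentence is less accurate than the one it replaces. The header applies to responses, not requests, and it does not "block requests on clients": ``X-Content-Type-Options: nosniff`` tells the browser to trust the declared ``Content-Type`` instead of sniffing the body to guess one, which stops an uploaded file or an unlabelled response from being interpreted as HTML or script (MIME confusion), and makes browsers refuse script and stylesheet loads whose MIME type is wrong. Suggest "Prevents browsers from MIME-sniffing a response away from its declared Content-Type, which blocks a class of XSS where user-supplied content is executed as script".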
@ -163,10 +163,27 @@ Prevents XSS by blocking requests on clients and forcing them to read the conten
See also `X-Content-Type-Options <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options>`_. See also `X-Content-Type-Options <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options>`_.
Content Security Policy (CSP)
-----------------------------
Enhances security and prevents common web vulnerabilities such as cross-site scripting (XSS) and Man-in-the-middle (MITM) related attacks.
Example:
.. sourcecode:: none
Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none'
See also `Content Security Policy <https://csp.withgoogle.com/docs/index.html>`_.
Cookie options Cookie options
-------------- --------------
For setting cookies on client-side storage. While these headers are not directly security related, they have important options that may affect your flask application.
- ``Secure`` limits your cookies to HTTPS traffic only.
- ``HttpOnly`` protects the contents of your cookie from being visible to XSS.
- ``SameSite`` ensures that cookies can only be requested from the same domain that created them but this feature is not yet fully supported across all browsers.
Example: Example:
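Review bot: the cookie paragraph contradicts its own bullet list. "these headers are not directly security related" is followed by three attributes whose only purpose is security; suggest dropping that clause and saying the attributes control how the browser stores, exposes and sends the cookie. The ``SameSite`` bullet also misdescribes the attribute: cookies are never "requested", the attribute restricts whether the browser attaches the cookie to requests initiated from another site, which is what makes it a CSRF mitigation; suggest "prevents the browser from sending the cookie with cross-site requests". Smaller point on the CSP text in this hunk: CSP is a defence against injected content (inline and third-party script, untrusted frames and resources), and ``default-src https:`` only forces resources to load over TLS; preventing MITM is the job of HSTS, so "and Man-in-the-middle (MITM) related attacks" overstates what the header does.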
@ -174,17 +191,7 @@ Example:
Set-Cookie: [cookie-name]=[cookie-value] Set-Cookie: [cookie-name]=[cookie-value]
See also `HTTP cookies <https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies>`_ . See also:
HTTP Public Key Pinning (HPKP) - Mozilla guide to `HTTP cookies <https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies>`_.
------------------------------ - `OWASP HTTP Only <https://www.owasp.org/index.php/HttpOnly>`_.
For associating clients with web servers through a certificate key and prevent MITM attacks.
Example:
.. sourcecode:: none
Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"]
See also `Public Key Pinning <https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning>`_.
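Review bot: the example ``Set-Cookie: [cookie-name]=[cookie-value]`` kept in this hunk shows none of the three attributes the section now lists, so a reader copying it gets an unprotected cookie. Suggest ``Set-Cookie: [cookie-name]=[cookie-value]; Secure; HttpOnly; SameSite=Strict`` and, since this is the Flask guide, a pointer to the ``SESSION_COOKIE_SECURE`` and ``SESSION_COOKIE_HTTPONLY`` config keys that set these attributes on the session cookie. The rest of the hunk (the two-item see-also list and removing the old HPKP block now that it lives above) is fine.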